Solved Google webhp redirection

Status
Not open for further replies.
Z

zeromk5

Posts: 15   +0
Hey guys, I just saw a thread that sounds similar to this but I decided to make my own thread because the rules warn us not to follow other people's directions. Hopefully I'm not too much of a bother.

Basically, I have a problem where clicking on search results in Google will redirect me to a completely different page, some sort of fishy search engine site. Not only that, Firefox will sometimes randomly open up a new tab addressed "www.google.com/webhp" which I don't think is the real Google at all and I immediately close it.

I'm not sure if this is related, but around the same time I got this problem, clicking on my Firefox quick launch button, or double clicking on the shortcut won't open up a window of Firefox, and instead I have to double click on one of those internet address shortcuts which lead to a specific site and then go to whichever site I want.

Also, I often get an error message saying "generic host process for win32 services has encountered a problem". This'll turn my taskbar into the classic Windows XP theme, and completely shut off my sound and volume control, and maybe 5 to 10 minutes later, it disconnects my internet connection.

I know this seems a lot at once, but it just suddenly started happening 2 or 3 days ago, and I'm not sure of what the cause of this is. Anyway, I managed to follow the 8 steps and got the log files. I'll copy paste them into separate posts if that's okay.
 
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5247

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/10/2010 11:05:04 PM
mbam-log-2010-12-10 (23-05-04).txt

Scan type: Quick scan
Objects scanned: 140133
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-10 23:12:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDT721010SLA360 rev.ST6OA3AA
Running: s5rdc7nf.exe; Driver: C:\DOCUME~1\Test\LOCALS~1\Temp\kgnyqpob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B28239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B28239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B28239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B28239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8B28239B
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA3AA#5&2ea7e938&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
 
DDS (Ver_10-12-05.01) - NTFSx86
Run by Test at 23:12:37.17 on Fri 12/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2531 [GMT 11:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Razer\Arctosa\razerhid.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Documents and Settings\Test\Bluebirds\BlueBirds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Test\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Messenger Plus Live Australia Toolbar: {ea0969b3-6e12-4ac0-b6c9-148e81247954} - c:\program files\messenger_plus_live_australia\tbMes1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Messenger Plus Live Australia Toolbar: {ea0969b3-6e12-4ac0-b6c9-148e81247954} - c:\program files\messenger_plus_live_australia\tbMes1.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Messenger Plus Live Australia Toolbar: {ea0969b3-6e12-4ac0-b6c9-148e81247954} - c:\program files\messenger_plus_live_australia\tbMes1.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [bluebirds] c:\documents and settings\test\bluebirds\BlueBirds.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [EPSON Stylus C45 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [Arctosa] "c:\program files\razer\arctosa\razerhid.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\test\startm~1\programs\startup\warkey~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\test\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\test\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\extensions\artur.dubovoy@gmail.com
FF - Extension: Personas: personas@christopher.beard - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\extensions\personas@christopher.beard
FF - Extension: Veoh Video Compass: searchrecs@veoh.com - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\extensions\searchrecs@veoh.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-10 11608]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-10 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-10 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-10 61960]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-8-4 20072]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-8-1 20328]
R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\solidworks corp\solidworks flow simulation\bincfw\StandAloneSlv.exe [2009-11-23 71464]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-6-12 5010288]
R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [2010-8-11 16896]
R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-4-25 11136]
R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2010-4-25 5760]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-4 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-8 1684736]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2010-1-20 87336]
S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\dvdacc~1\dvdax.sys --> c:\progra~1\dvdacc~1\DVDAX.SYS [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\test\locals~1\temp\nfm61.tmp --> c:\docume~1\test\locals~1\temp\NFM61.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-6-12 16168]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2010-12-10 11:52:40 -------- d-----w- c:\windows\system32\wbem\Logs
2010-12-10 09:13:21 -------- d-----w- c:\windows\system32\NtmsData
2010-12-10 09:12:28 -------- d-----w- c:\docume~1\test\applic~1\Avira
2010-12-10 09:08:58 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-10 09:08:57 -------- d-----w- c:\program files\Avira
2010-12-10 09:08:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-12-09 11:36:07 -------- d-sha-r- C:\cmdcons
2010-12-09 11:32:23 89088 ----a-w- c:\windows\MBR.exe
2010-12-08 01:14:04 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc7B.tmp
2010-12-05 12:32:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 12:32:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 12:32:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 04:53:03 -------- d-----w- C:\Nexon
2010-11-25 05:18:08 9728 ----a-w- c:\windows\Wii DriverLoader.exe
2010-11-25 05:18:08 299008 ----a-w- c:\windows\system32\Projoycpl.dll
2010-11-25 05:18:08 11904 ----a-w- c:\windows\system32\drivers\Maypro.sys
2010-11-25 05:18:08 -------- d-----w- c:\program files\Mayflash Wii Classic Controller Box
2010-11-21 13:38:29 -------- d-----w- c:\docume~1\test\locals~1\applic~1\PunkBuster
2010-11-21 13:30:50 -------- d-----w- c:\docume~1\test\applic~1\id Software
2010-11-21 13:30:34 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-21 13:30:25 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-21 13:30:25 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-11-21 13:30:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\id Software
2010-11-12 09:57:08 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-11-12 09:54:32 62424 ----a-w- c:\windows\system32\drivers\xusb21.sys
2010-11-12 09:54:32 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-11-12 09:54:21 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

==================== Find3M ====================

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-18 01:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDT721010SLA360 rev.ST6OA3AA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B282555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b2887b0]; MOV EAX, [0x8b28882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B24EAB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000073[0x8B2E0F18]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B2A9940]
\Driver\atapi[0x8B2DF960] -> IRP_MJ_CREATE -> 0x8B282555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA3AA#5&2ea7e938&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B28239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 23:13:29.87 ===============
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/8/2009 2:29:20 PM
System Uptime: 12/10/2010 10:54:23 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5P43TD PRO
Processor: Intel Pentium III Xeon processor | LGA775 | 2666/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 932 GiB total, 686.197 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0001
Manufacturer:
Name:
PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0001
Service:

Class GUID:
Description:
Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0101
Manufacturer:
Name:
PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0101
Service:

Class GUID:
Description:
Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0301
Manufacturer:
Name:
PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0301
Service:

==== System Restore Points ===================

RP1: 12/10/2010 10:55:25 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
82TV
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 Professional
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe InDesign CS5
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.4.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Akamai NetSession Interface
Amazon MP3 Downloader 1.0.10
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
BattleMoonWars‹â ‘æŽl•”
Bonjour
Brother MFL-Pro Suite
BurnInTest v5.3 Pro
Camtasia Studio 6
Cheat Engine 5.5
Cheat Engine 5.6
Connect
Continuum 0.40
Counter-Strike: Source
CPUID CPU-Z 1.55
CPUID HWMonitor 1.16
Death Rally for Windows
Definition update for Microsoft Office 2010 (KB982726)
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
EPSON Printer Software
EPU-4 Engine
Facebook Plug-In
FlashGet 1.9.6.1073
Fraps (remove only)
Garena
GGPO
GOM Player
Google Chrome
Google Earth
Google Update Helper
HackTheStack
Half-Life(R) 2
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iTunes
Java(TM) 6 Update 16
JMicron JMB36X Driver
kuler
League of Legends
M3 SAKURA V1.46 Global (GAME PATCH V4.7g)
Malwarebytes' Anti-Malware
MapleStory
Mayflash Wii Classic Controller Box
Messenger Plus! Live
Messenger_Plus_Live_Australia Toolbar
Metal Gear Solid
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft AppLocale
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual Studio 2005 Tools for Applications - ENU
Microsoft Windows Application Compatibility Database
Microsoft Xbox 360 Accessories 1.2
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox (3.6.12)
MPEG2 Codec(libmpeg2/mad)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Nexon Game Manager
NVIDIA Drivers
NVIDIA PhysX
Octoshape Streaming Services
PDF Settings CS4
PDF Settings CS5
Photoshop Camera Raw
PhotoView 360
Pixel Bender Toolkit
Poker Night at the Inventory
Portal
PowerISO
Project64 1.6
PunkBuster Services
Quake
Quake II
Quake Live Mozilla Plugin
QuickSFV (Remove only)
QuickTime
Razer Arctosa
Razer DeathAdder(TM) Mouse
Realtek High Definition Audio Driver
SDFormatter
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SolidWorks 2010 SP02.1
SolidWorks eDrawings 2010
SolidWorks Flow Simulation 2010 SP02.1
Source SDK Base 2006
Spelling Dictionaries Support For Adobe Reader 9
StarCraft II
Steam
Suite Shared Configuration CS4
Switch Sound File Converter
Team Fortress 2
The Ultimate DOOM
Trickster Online
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB GAME PAD
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Veoh Web Player
Videora iPod Converter 6
VLC media player 1.0.3
VoiceOver Kit
Vuze
Wacom Tablet
Warkeys 1.14.1.0b
WebFldrs XP
WebTablet IE Plugin
WebTablet Netscape Plugin
Windows Driver Package - Cypress (CYUSB) USB (06/05/2009 3.4.1.20)
Windows Driver Package - Razer (HidUsb) HIDClass (01/11/2007 1.0)
Windows Driver Package - Razer (HidUsb) HIDClass (02/02/2007 1.0.5.0)
Windows Driver Package - Razer (HidUsb) HIDClass (04/04/2009 1.0.5.0)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wolfenstein 3D
XH5222 DSE USB 1.3MP Camera
YouTube Downloader App 3.00

==== Event Viewer Messages From Past Week ========

12/9/2010 10:26:06 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
12/9/2010 1:22:20 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/9/2010 1:22:20 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/8/2010 9:52:40 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/8/2010 9:11:40 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/8/2010 8:18:59 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
12/8/2010 10:25:17 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.
12/5/2010 3:27:16 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
12/5/2010 11:29:14 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
12/3/2010 1:19:15 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/10/2010 12:22:58 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/10/2010 10:55:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================
 
Welcome to TechSpot! I'll help with. the rootkit malware infection I don't know what all the duplicate posts were about, but I need your patience while I'm helping you. I will get you started- your posts is only 3 hours old- then I will leave to help others. After I'm notified of you next reply, I'll get back to you as soon as I can.
======================================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
======================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    Click to expand...
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry. If you are using any file sharing programs, either uninstall them or disable them while I'm helping you.
 
I'm sorry, but when you say to Quarantine the detected objects in the fifth step of running TDSSKiller, do you mean to "Copy to quarantine"? Just want to absolutely make sure because doing so didn't seem to prompt me to reboot the system. Anyway, I have restarted the system and will move onto the next steps.
 
By the way, I am sorry for the late reply, I had made this thread late last night so I had gotten sleepy by midnight.

I should also mention, Firefox will not run at all, no matter what I do, neither does Google Chrome. I don't mind switching to Internet Explorer, but if the same thing will eventually happen to this browser as well, then I'm worried.
 
I'm sorry again, I'm replying too many times. However, the scans are complete and I now have the logs. First the ESET log and then the one from ComboFix



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=2928a1989672b5448d32d87e3e7eb2f0
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-11 09:47:55
# local_time=2010-12-11 08:47:55 (+1000, AUS Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 27791244 45558 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=179471
# found=9
# cleaned=0
# scan_time=3401
C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
 
ComboFix 10-12-09.08 - Test 12/11/2010 20:55:02.4.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2556 [GMT 11:00]
Running from: c:\documents and settings\Test\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-11 08:42 . 2010-12-11 08:42 -------- d-----w- c:\program files\ESET
2010-12-11 08:15 . 2010-12-11 08:15 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-10 11:52 . 2010-12-10 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
2010-12-10 09:13 . 2010-12-10 09:27 -------- d-----w- c:\windows\system32\NtmsData
2010-12-10 09:12 . 2010-12-10 09:12 -------- d-----w- c:\documents and settings\Test\Application Data\Avira
2010-12-10 09:08 . 2010-11-30 07:48 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-10 09:08 . 2010-11-30 07:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-10 09:08 . 2010-06-17 03:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-12-10 09:08 . 2010-06-17 03:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\program files\Avira
2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-09 02:22 . 2010-12-09 02:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-08 01:14 . 2010-12-08 01:14 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp
2010-12-05 12:32 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 12:32 . 2010-12-05 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 12:32 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 04:53 . 2010-12-05 04:53 -------- d-----w- C:\Nexon
2010-11-25 05:18 . 2010-11-25 05:18 -------- d-----w- c:\program files\Mayflash Wii Classic Controller Box
2010-11-25 05:18 . 2009-12-10 09:54 11904 ----a-w- c:\windows\system32\drivers\Maypro.sys
2010-11-25 05:18 . 2009-12-08 11:04 299008 ----a-w- c:\windows\system32\Projoycpl.dll
2010-11-25 05:18 . 2009-12-07 11:02 9728 ----a-w- c:\windows\Wii DriverLoader.exe
2010-11-21 13:38 . 2010-11-21 13:38 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\PunkBuster
2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\Test\Application Data\id Software
2010-11-21 13:30 . 2010-11-21 13:30 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-21 13:30 . 2010-11-21 13:30 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-21 13:30 . 2010-11-21 13:30 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-11-12 09:57 . 2008-03-21 02:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-11-12 09:54 . 2009-09-10 01:24 62424 ----a-w- c:\windows\system32\drivers\xusb21.sys
2010-11-12 09:54 . 2009-08-14 05:40 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-11-12 09:54 . 2010-11-12 09:54 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-18 01:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-12-09_11.54.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-11 08:20 . 2010-12-11 08:20 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
+ 2010-12-11 08:20 . 2010-12-11 08:20 16384 c:\windows\Temp\Perflib_Perfdata_2e8.dat
- 2010-06-16 03:35 . 2010-12-07 08:55 15019 c:\windows\system32\Wacom_Tablet.dat
+ 2010-06-16 03:35 . 2010-12-10 07:58 15019 c:\windows\system32\Wacom_Tablet.dat
+ 2004-08-04 12:00 . 2010-12-11 08:24 68360 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-12-09 11:46 68360 c:\windows\system32\perfc009.dat
+ 2010-12-10 09:08 . 2010-06-17 03:27 28520 c:\windows\system32\drivers\ssmdrv.sys
- 2004-08-04 12:00 . 2010-12-09 11:46 435590 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-12-11 08:24 435590 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 05:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]
2010-07-12 04:08 2515552 ----a-w- c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EA0969B3-6E12-4AC0-B6C9-148E81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bluebirds"="c:\documents and settings\Test\Bluebirds\BlueBirds.exe" [2009-04-29 270336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2009-05-15 5750272]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-12-20 611712]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"snp2std"="c:\windows\vsnp2std.exe" [2006-12-04 675840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-13 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-13 13917800]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2010-05-05 251392]
"Arctosa"="c:\program files\Razer\Arctosa\razerhid.exe" [2008-10-06 147456]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]

c:\documents and settings\Test\Start Menu\Programs\Startup\
Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-5-4 244736]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zeromk5\\team fortress 2\\hl2.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\GGPO\\ggpo.exe"=
"c:\\Documents and Settings\\Test\\Local Settings\\Apps\\2.0\\7206VM5L.Z3H\\3P1Z7W00.77Z\\supe..tion_d6c7c0f5010e61b8_0001.0000_4482eb9aaee5b72a\\SupercadeClient.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the scout\\smp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the spy\\smp.exe"=
"c:\\Documents and Settings\\Test\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Winquake.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\qwcl.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Glquake.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\glqwcl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake 2\\quake2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 11:00 PM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2010 8:08 PM 135336]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [8/4/2010 11:48 PM 20072]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [8/1/2010 3:13 AM 20328]
R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [11/23/2009 8:48 PM 71464]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [6/12/2010 7:14 PM 5010288]
R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [8/11/2010 9:58 PM 16896]
R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [4/25/2010 5:39 PM 11136]
R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [4/25/2010 5:39 PM 5760]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/4/2009 6:11 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/8/2009 3:54 PM 1684736]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [1/20/2010 1:59 AM 87336]
S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\DVDACC~1\DVDAX.SYS --> c:\progra~1\DVDACC~1\DVDAX.SYS [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp --> c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/12/2010 6:37 PM 16168]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\AdobeAAMUpdater-1.0-TEST-8DA2FE6C8B-Test.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-09 16:44]

2010-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

2010-12-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 05:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Test\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Test\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\progra~1\MI1933~1\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MI1933~1\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\extensions\artur.dubovoy@gmail.com
FF - Extension: Personas: personas@christopher.beard - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\extensions\personas@christopher.beard
FF - Extension: Veoh Video Compass: searchrecs@veoh.com - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\extensions\searchrecs@veoh.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2296)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-11 21:00:36
ComboFix-quarantined-files.txt 2010-12-11 10:00
ComboFix2.txt 2010-12-10 08:37
ComboFix3.txt 2010-12-09 11:57
ComboFix4.txt 2009-10-06 10:36

Pre-Run: 736,450,699,264 bytes free
Post-Run: 736,577,126,400 bytes free

- - End Of File - - 806B384599923122A3ABD635798D9C83
 
Regarding the use of Quarantine/remove/delete
  1. :
  2. TDSSKiller: # The utility automatically selects an action (Cure or Delete) for malicious objects.
    [*]The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    [*]Select the action Quarantine to quarantine detected objects.
    [*]The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43


Regarding the Eset scan:
  1. "Remove found threats"
  1. is Unchecked,
    [*]"Scan unwanted applications" is checked
    [*] Click Start
    [o] Make sure that the option     and the option
    [o] Click Scanlist]
    =============================================
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code: 
      :Processes	
:Files  
C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.dta 
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.dta 
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.[/QUOTE]

    An example: each of the entries above showed (unable to clean) as in:
    C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe

    The line I was referring to in the instructions says:
    Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked So it shouldn't say 'unable to clean' if you didn't check the line and ask it to clean!
    ===============================================
 
Thanks again for the reply. Here's the log.


All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.dta moved successfully.
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.dta moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 786499 bytes
->Flash cache emptied: 965 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 2217 bytes

User: Test
->Temp folder emptied: 671185 bytes
->Temporary Internet Files folder emptied: 302357964 bytes
->FireFox cache emptied: 118420060 bytes
->Google Chrome cache emptied: 8752866 bytes
->Flash cache emptied: 18189 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 3127829 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16798 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 414.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 12122010_163019

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_2f4.dat not found!

Registry entries deleted on Reboot...
 
I think I should also mention, Firefox seems to work fine again, and I haven't run into any of the problems I mentioned in my very first post, such as the webhp redirection, or the generic host processes error. Is it all truly fixed?
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines.
Code: 
File::
c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp
"c:\\Program Files\\Vuze\\Azureus.exe"=
c:\progra~1\DVDACC~1\DVDAX.SYS
c:\program files\Garena\safedrv.sys
Folder::
C:\TDSSKiller_Quarantine

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
c:\\Program Files\\uTorrent\\uTorrent.exe"=-
c:\\Program Files\\Vuze\\Azureus.exe"=--
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"=--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"=-
Driver::
DVDACCSS=-
GarenaPEngine
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
===============================================================
Please go to Add/Remove Programs in the Control Panel and remove any entry for Askbar, Ask.com.
Go to Startup and take same entries off.
Use Windows explorer> My Computer> Local Drive> Programs> right click> Delete on any "Ask" folders.

You are doing a great deal of file sharing. As long as you continue to do that, you will get malware.

Download HijackThis and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Thanks again, here is the log obtained from ComboFix



ComboFix 10-12-12.03 - Test 12/13/2010 19:58:15.5.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2734 [GMT 11:00]
Running from: c:\documents and settings\Test\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Test\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\\Program Files\\Vuze\\Azureus.exe="
"c:\progra~1\DVDACC~1\DVDAX.SYS"
"c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp"
"c:\program files\Garena\safedrv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\mbr0000\object.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\mbr0000\tsk0000.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\mbr0000\tsk0000.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\object.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\object.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\mbr0000\object.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\mbr0000\tsk0000.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\mbr0000\tsk0000.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\object.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\object.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE
-------\Service_GarenaPEngine


((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-12 08:09 . 2010-12-12 08:09 -------- d-----w- c:\windows\system32\QuickTime
2010-12-12 08:09 . 2010-12-12 08:09 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2010-12-12 08:09 . 2010-12-12 08:09 -------- d-----w- c:\program files\TechSmith
2010-12-12 05:30 . 2010-12-12 05:30 -------- d-----w- C:\_OTM
2010-12-11 08:42 . 2010-12-11 08:42 -------- d-----w- c:\program files\ESET
2010-12-10 11:52 . 2010-12-12 08:07 -------- d-----w- c:\windows\system32\wbem\Logs
2010-12-10 09:13 . 2010-12-10 09:27 -------- d-----w- c:\windows\system32\NtmsData
2010-12-10 09:12 . 2010-12-10 09:12 -------- d-----w- c:\documents and settings\Test\Application Data\Avira
2010-12-10 09:08 . 2010-11-30 07:48 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-10 09:08 . 2010-11-30 07:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-10 09:08 . 2010-06-17 03:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-12-10 09:08 . 2010-06-17 03:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\program files\Avira
2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-09 02:22 . 2010-12-09 02:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-05 12:32 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 12:32 . 2010-12-05 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 12:32 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 04:53 . 2010-12-05 04:53 -------- d-----w- C:\Nexon
2010-11-25 05:18 . 2010-11-25 05:18 -------- d-----w- c:\program files\Mayflash Wii Classic Controller Box
2010-11-25 05:18 . 2009-12-10 09:54 11904 ----a-w- c:\windows\system32\drivers\Maypro.sys
2010-11-25 05:18 . 2009-12-08 11:04 299008 ----a-w- c:\windows\system32\Projoycpl.dll
2010-11-25 05:18 . 2009-12-07 11:02 9728 ----a-w- c:\windows\Wii DriverLoader.exe
2010-11-21 13:38 . 2010-11-21 13:38 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\PunkBuster
2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\Test\Application Data\id Software
2010-11-21 13:30 . 2010-11-21 13:30 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-21 13:30 . 2010-11-21 13:30 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-21 13:30 . 2010-11-21 13:30 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-18 01:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-12-09_11.54.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-13 09:05 . 2010-12-13 09:05 16384 c:\windows\Temp\Perflib_Perfdata_5e8.dat
+ 2010-12-13 09:05 . 2010-12-13 09:05 16384 c:\windows\Temp\Perflib_Perfdata_100.dat
+ 2010-06-16 03:35 . 2010-12-10 07:58 15019 c:\windows\system32\Wacom_Tablet.dat
- 2010-06-16 03:35 . 2010-12-07 08:55 15019 c:\windows\system32\Wacom_Tablet.dat
- 2004-08-04 12:00 . 2010-12-09 11:46 68360 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-12-13 08:36 68360 c:\windows\system32\perfc009.dat
+ 2010-12-10 09:08 . 2010-06-17 03:27 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2010-07-19 04:33 . 2010-07-19 04:33 594944 c:\windows\system32\tsccvid.dll
- 2004-08-04 12:00 . 2010-12-09 11:46 435590 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-12-13 08:36 435590 c:\windows\system32\perfh009.dat
+ 2010-12-12 08:09 . 2010-12-12 08:09 680448 c:\windows\Installer\{49471DB8-7F3C-42DB-89C2-AC50FA0C5290}\IconEF5C48881.exe
+ 2001-09-05 10:00 . 2001-09-05 10:00 1700352 c:\windows\system32\gdiplus.dll
- 2001-09-05 11:00 . 2001-09-05 11:00 1700352 c:\windows\system32\gdiplus.dll
+ 2010-12-12 08:09 . 2010-12-12 08:09 17410048 c:\windows\Installer\8d8f1e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 05:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]
2010-07-12 04:08 2515552 ----a-w- c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EA0969B3-6E12-4AC0-B6C9-148E81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bluebirds"="c:\documents and settings\Test\Bluebirds\BlueBirds.exe" [2009-04-29 270336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2009-05-15 5750272]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-12-20 611712]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"snp2std"="c:\windows\vsnp2std.exe" [2006-12-04 675840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-13 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-13 13917800]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2010-05-05 251392]
"Arctosa"="c:\program files\Razer\Arctosa\razerhid.exe" [2008-10-06 147456]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]

c:\documents and settings\Test\Start Menu\Programs\Startup\
Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-5-4 244736]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zeromk5\\team fortress 2\\hl2.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\GGPO\\ggpo.exe"=
"c:\\Documents and Settings\\Test\\Local Settings\\Apps\\2.0\\7206VM5L.Z3H\\3P1Z7W00.77Z\\supe..tion_d6c7c0f5010e61b8_0001.0000_4482eb9aaee5b72a\\SupercadeClient.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the scout\\smp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the spy\\smp.exe"=
"c:\\Documents and Settings\\Test\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Winquake.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\qwcl.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Glquake.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\glqwcl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake 2\\quake2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 11:00 PM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2010 8:08 PM 135336]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [8/4/2010 11:48 PM 20072]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [8/1/2010 3:13 AM 20328]
R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [11/23/2009 8:48 PM 71464]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [6/12/2010 7:14 PM 5010288]
R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [8/11/2010 9:58 PM 16896]
R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [4/25/2010 5:39 PM 11136]
R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [4/25/2010 5:39 PM 5760]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/4/2009 6:11 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/8/2009 3:54 PM 1684736]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [1/20/2010 1:59 AM 87336]
S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\DVDACC~1\DVDAX.SYS --> c:\progra~1\DVDACC~1\DVDAX.SYS [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 npggsvc;nProtect GameGuard Service; [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/12/2010 6:37 PM 16168]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-12-12 c:\windows\Tasks\AdobeAAMUpdater-1.0-TEST-8DA2FE6C8B-Test.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-09 16:44]

2010-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

2010-12-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 05:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - %profile%\extensions\artur.dubovoy@gmail.com
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1384)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-12-13 20:10:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-13 09:10
ComboFix2.txt 2010-12-11 10:00
ComboFix3.txt 2010-12-10 08:37
ComboFix4.txt 2010-12-09 11:57
ComboFix5.txt 2010-12-13 08:56

Pre-Run: 735,013,687,296 bytes free
Post-Run: 734,872,268,800 bytes free

- - End Of File - - 7F4CAF382E7F954350DC2020B75EECEB
 
And this would be the HijackThis log.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:15:56 PM, on 12/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Razer\Arctosa\razerhid.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [Arctosa] "C:\Program Files\Razer\Arctosa\razerhid.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [bluebirds] C:\Documents and Settings\Test\Bluebirds\BlueBirds.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Warkeys Update.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MI1933~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Solver for Flow Simulation 2010 - Mentor Graphics Corporation - C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 12575 bytes
 
Looking good! Just 2 processes left to remove: But I want to do one more short scan to be sure the MBR is clean:

Download bootkitremover.rar and save it to your desktop.
  • Extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip
  • Double-click on the remover.exe file to run the program.
  • Paste the output in your next reply.
==================================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code: 
File::
c:\program files\Ask.com\GenericAskToolbar.dll
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Driver::
npggsvc
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . No log needed unless problems persist.
====================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
Let me know if you have any more questions.
=============================================
A recommendation: Someday, when you have extra time, review all the processes you have starting on boot. Understand that the only processes that need to start on boot are the antivirus program, firewall if you have 3rd party FW, process for touchpad if on a laptop and network process is using something like Pure Magic.

Almost everything that starts on boot will continue to run in the background. After you surf for a while and pick up those temporary internet files, the system is going to slow down with all the 'weight'. And many Services can be set to Manual Startup type and do not need to automatically start. Review best Service settings on Black Viper's site: http://www.blackviper.com/WinXP/servicecfg.htm

Have a Happy and Peaceful Holiday!
peace_dove_bigger_normal.jpg
 
Thank you very much for bearing with me this whole time. I have received the log from running remover.exe so I will paste it here.




.\debug.cpp(238) : Debug log started at 15.12.2010 - 15:28:37
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.0
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x804d7000 0x0020d000 "\WINDOWS\system32\ntkrnlpa.exe"
.\debug.cpp(256) : 0x806e4000 0x00020d00 "\WINDOWS\system32\hal.dll"
.\debug.cpp(256) : 0xb85a8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256) : 0xb84b8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
.\debug.cpp(256) : 0xb7f79000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xb85aa000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
.\debug.cpp(256) : 0xb7f68000 0x00011000 "pci.sys"
.\debug.cpp(256) : 0xb80a8000 0x00009000 "isapnp.sys"
.\debug.cpp(256) : 0xb80b8000 0x00010000 "ohci1394.sys"
.\debug.cpp(256) : 0xb80c8000 0x0000e000 "\WINDOWS\system32\DRIVERS\1394BUS.SYS"
.\debug.cpp(256) : 0xb8670000 0x00001000 "pciide.sys"
.\debug.cpp(256) : 0xb8328000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xb80d8000 0x0000b000 "MountMgr.sys"
.\debug.cpp(256) : 0xb7f49000 0x0001f000 "ftdisk.sys"
.\debug.cpp(256) : 0xb8330000 0x00005000 "PartMgr.sys"
.\debug.cpp(256) : 0xb80e8000 0x0000d000 "VolSnap.sys"
.\debug.cpp(256) : 0xb7f31000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xb7f18000 0x00019000 "jraid.sys"
.\debug.cpp(256) : 0xb7f00000 0x00018000 "\WINDOWS\system32\DRIVERS\SCSIPORT.SYS"
.\debug.cpp(256) : 0xb80f8000 0x00009000 "disk.sys"
.\debug.cpp(256) : 0xb8108000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xb7ee0000 0x00020000 "fltmgr.sys"
.\debug.cpp(256) : 0xb7ece000 0x00012000 "sr.sys"
.\debug.cpp(256) : 0xb8118000 0x0000a000 "PxHelp20.sys"
.\debug.cpp(256) : 0xb7eb7000 0x00017000 "KSecDD.sys"
.\debug.cpp(256) : 0xb7e2a000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xb7dfd000 0x0002d000 "NDIS.sys"
.\debug.cpp(256) : 0xb7de3000 0x0001a000 "Mup.sys"
.\debug.cpp(256) : 0xb81b8000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0xb6c39000 0x00a1c000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
.\debug.cpp(256) : 0xb6c25000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xb6bfd000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
.\debug.cpp(256) : 0xb84a8000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0xb6bd9000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0xb84b0000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
.\debug.cpp(256) : 0xb81c8000 0x00010000 "\SystemRoot\system32\DRIVERS\nic1394.sys"
.\debug.cpp(256) : 0xb81d8000 0x0000e000 "\SystemRoot\system32\DRIVERS\l1e51x86.sys"
.\debug.cpp(256) : 0xb6bc5000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
.\debug.cpp(256) : 0xb85f8000 0x00002000 "\SystemRoot\system32\DRIVERS\ASACPI.sys"
.\debug.cpp(256) : 0xb81e8000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
.\debug.cpp(256) : 0xb7c85000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
.\debug.cpp(256) : 0xb81f8000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
.\debug.cpp(256) : 0xb8208000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0xb8218000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
.\debug.cpp(256) : 0xb6ba2000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xb8390000 0x00006000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
.\debug.cpp(256) : 0xb7675000 0x00003000 "\SystemRoot\system32\DRIVERS\wacomvhid.sys"
.\debug.cpp(256) : 0xb8228000 0x00009000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
.\debug.cpp(256) : 0xb83a0000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
.\debug.cpp(256) : 0xb870f000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xb8238000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xb766d000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xb6b8b000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xb8248000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0xb8258000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xb83c0000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0xb6b7a000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
.\debug.cpp(256) : 0xb8268000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xb83d0000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xb83e0000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xb85fc000 0x00002000 "\SystemRoot\system32\DRIVERS\vHidDev.sys"
.\debug.cpp(256) : 0xb8278000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0xb83e8000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xb83f0000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xb8602000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xb6b1c000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xb7659000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0xb8288000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xb8608000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xb854c000 0x00003000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
.\debug.cpp(256) : 0xb8408000 0x00008000 "\SystemRoot\system32\DRIVERS\wacommousefilter.sys"
.\debug.cpp(256) : 0xb8298000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xb8578000 0x00004000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
.\debug.cpp(256) : 0xb4336000 0x00626000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
.\debug.cpp(256) : 0xb4312000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
.\debug.cpp(256) : 0xb82b8000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
.\debug.cpp(256) : 0xb8614000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xb87ca000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xb8618000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xb8458000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xb861c000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xb8620000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0xb8468000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xb8478000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xb7c81000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xb424f000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xb41f6000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xb41d0000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
.\debug.cpp(256) : 0xb41a8000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xb82d8000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xb415e000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xb82e8000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xb82f8000 0x0000f000 "\SystemRoot\system32\DRIVERS\arp1394.sys"
.\debug.cpp(256) : 0xb8498000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
.\debug.cpp(256) : 0xb8308000 0x0000b000 "\SystemRoot\System32\Drivers\SCDEmu.SYS"
.\debug.cpp(256) : 0xb4093000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xb4023000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xb8318000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xb3ffd000 0x00026000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
.\debug.cpp(256) : 0xb8626000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
.\debug.cpp(256) : 0xb8628000 0x00002000 "\SystemRoot\system32\drivers\AsIO.sys"
.\debug.cpp(256) : 0xb429a000 0x00003000 "\SystemRoot\system32\DRIVERS\hidusb.sys"
.\debug.cpp(256) : 0xb77e8000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
.\debug.cpp(256) : 0xb8380000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
.\debug.cpp(256) : 0xb345c000 0x00b79000 "\SystemRoot\system32\DRIVERS\snp2sxp.sys"
.\debug.cpp(256) : 0xb77d8000 0x0000d000 "\SystemRoot\system32\DRIVERS\STREAM.SYS"
.\debug.cpp(256) : 0xb83a8000 0x00007000 "\SystemRoot\system32\DRIVERS\SNCAMD.SYS"
.\debug.cpp(256) : 0xb77c8000 0x0000f000 "\SystemRoot\system32\drivers\usbaudio.sys"
.\debug.cpp(256) : 0xb4286000 0x00003000 "\SystemRoot\system32\drivers\danew.sys"
.\debug.cpp(256) : 0xb83b8000 0x00005000 "\SystemRoot\System32\Drivers\Arctosa.sys"
.\debug.cpp(256) : 0xb3444000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
.\debug.cpp(256) : 0xb8634000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
.\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
.\debug.cpp(256) : 0xb419c000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
.\debug.cpp(256) : 0xb8400000 0x00005000 "\SystemRoot\System32\watchdog.sys"
.\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
.\debug.cpp(256) : 0xb86bb000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
.\debug.cpp(256) : 0xbd012000 0x0060f000 "\SystemRoot\System32\nv4_disp.dll"
.\debug.cpp(256) : 0xbffa0000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
.\debug.cpp(256) : 0xb30c2000 0x00015000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
.\debug.cpp(256) : 0xb30b2000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
.\debug.cpp(256) : 0xb2db5000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
.\debug.cpp(256) : 0xb3042000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
.\debug.cpp(256) : 0xb2d3d000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
.\debug.cpp(256) : 0xb8616000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
.\debug.cpp(256) : 0xb2737000 0x00011000 "\SystemRoot\System32\Drivers\adfs.SYS"
.\debug.cpp(256) : 0xb2828000 0x00004000 "\??\C:\WINDOWS\system32\drivers\cpuz133_x32.sys"
.\debug.cpp(256) : 0xb281c000 0x00004000 "\??\C:\WINDOWS\system32\drivers\cpuz134_x32.sys"
.\debug.cpp(256) : 0xb24d7000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xb0def000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
.\debug.cpp(256) : 0xafc7c000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
.\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
.\debug.cpp(263) : **********************************************
.\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
.\debug.cpp(308) : **********************************************
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
.\debug.cpp(400) : Destination "\Device\Video0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
.\debug.cpp(400) : Destination "\Device\Ndis"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000042"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000034"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
.\debug.cpp(400) : Destination "\Device\Video1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
.\debug.cpp(400) : Destination "\Device\00000085"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
.\debug.cpp(400) : Destination "\Device\Video2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_00#6&14b37ee3&0&0000#{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000008c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_1532&Pid_010b#5&385a3465&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-11"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
.\debug.cpp(400) : Destination "\Device\Ip"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{3076b6aa-9c7d-11de-a3c5-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_3#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000044"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{98E300F4-D296-4F0F-B5C8-9C30014CF4E3}"
.\debug.cpp(400) : Destination "\Device\{98E300F4-D296-4F0F-B5C8-9C30014CF4E3}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000033"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
.\debug.cpp(400) : Destination "\Device\Video3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
.\debug.cpp(400) : Destination "\Device\avgio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0925&Pid_03e8#5&2e573136&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-8"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ATKACPI"
.\debug.cpp(400) : Destination "\Device\ATKACPI"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Arctosa"
.\debug.cpp(400) : Destination "\Device\Arctosa"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
.\debug.cpp(400) : Destination "\Device\IPSEC"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&33d5ef4b&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{C567FFA8-3DEB-4CC3-BB3E-BD7CBC59612F}"
.\debug.cpp(400) : Destination "\Device\{C567FFA8-3DEB-4CC3-BB3E-BD7CBC59612F}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0E22&SUBSYS_34FC1458&REV_A1#4&399d3c6a&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A37&SUBSYS_82D41043&REV_00#3&11583659&0&D0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A3C&SUBSYS_82D41043&REV_00#3&11583659&0&D7#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi4:"
.\debug.cpp(400) : Destination "\Device\Scsi\JRAID1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_0016#6&1cfd2965&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000090"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
.\debug.cpp(400) : Destination "\Device\NDProxy"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
.\debug.cpp(400) : Destination "\Device\ParallelVdm0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS50________________TN00____#344b395542373532333020322020202020202020#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_197B&DEV_2361&SUBSYS_83871043&REV_02#4&34ebacd6&0&00E4#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0023"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
.\debug.cpp(400) : Destination "\Device\00000085"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
.\debug.cpp(400) : Destination "\Device\Serial0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_0925&Pid_03e8#6&27eb7b13&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\0000008b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination "\Device\WMIDataDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev0"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
.\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination "\Device\NamedPipe"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev1"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_1532&Pid_0016#5&385a3465&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-10"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
.\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A35&SUBSYS_82D41043&REV_00#3&11583659&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination "\Device\IPNAT"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev2"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination "\Device\Mup"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination "\Device\PSched"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{67AC1517-F63D-4067-8874-7907E1F32D4A}"
.\debug.cpp(400) : Destination "\Device\{67AC1517-F63D-4067-8874-7907E1F32D4A}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination "\Device\Tcp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev3"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col01#1&3ac5b05f&3&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\0000007a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col03#1&3ac5b05f&3&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination "\Device\USBFDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000038"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev4"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination "\Device\VideoPdo0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col02#1&2d595ca7&1&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000077"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination "\Device\USBFDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A39&SUBSYS_82D41043&REV_00#3&11583659&0&D2#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1969&DEV_1026&SUBSYS_831C1043&REV_B0#4&20515db1&0&00E5#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0024"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev5"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination "\DosDevices\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination "\Device\USBFDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&290cafbe&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000036"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev6"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd6"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination "\Device\FsWrap"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_00#7&115d5c07&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000093"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
.\debug.cpp(400) : Destination "\Device\sysaudio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000085"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
.\debug.cpp(400) : Destination "\Device\USBFDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureBFCFBFCFOffset7E00LengthE8E0358200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev7"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3#5&c0aa250&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-9"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_01#6&14b37ee3&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000008d"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col03#1&2d595ca7&1&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000078"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
.\debug.cpp(400) : Destination "\Device\USBFDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#aa#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000047"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000048"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A3A&SUBSYS_82D41043&REV_00#3&11583659&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0014"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A34&SUBSYS_82D41043&REV_00#3&11583659&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination "\GLOBAL??"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD5"
.\debug.cpp(400) : Destination "\Device\USBFDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A533DA3B-A111-4DE1-895A-37675D50F4EC}"
.\debug.cpp(400) : Destination "\Device\{A533DA3B-A111-4DE1-895A-37675D50F4EC}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\0000006b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6"
.\debug.cpp(400) : Destination "\Device\USBFDO-6"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000085"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1bd273f9&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD7"
.\debug.cpp(400) : Destination "\Device\USBFDO-7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS50________________TN00____#344b395542373532333020322020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_197B&DEV_2380&SUBSYS_83131043&REV_00#4&16822c0b&0&00E1#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0022"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#4&2bc541ba&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
.\debug.cpp(400) : Destination "\Device\00000064"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9241C8EA-72DE-4B1E-A38F-9173EB35E893}"
.\debug.cpp(400) : Destination "\Device\{9241C8EA-72DE-4B1E-A38F-9173EB35E893}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ARP1394"
.\debug.cpp(400) : Destination "\Device\ARP1394"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\V1394#NIC1394#71022010020#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000006d"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{77D8FD89-7241-4671-8CB3-B4C050C62675}"
.\debug.cpp(400) : Destination "\Device\{77D8FD89-7241-4671-8CB3-B4C050C62675}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
.\debug.cpp(400) : Destination "\Device\0000006b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_00#7&115d5c07&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000093"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_00#6&14b37ee3&0&0000#{fb6c428a-0353-11d1-905f-0000c0cc16ba}"
.\debug.cpp(400) : Destination "\Device\0000008c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_00#6&14b37ee3&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000008c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_2#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000043"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000032"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
.\debug.cpp(400) : Destination "\Device\ssmctl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col04#1&2d595ca7&1&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000079"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
.\debug.cpp(400) : Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Artemis.00"
.\debug.cpp(400) : Destination "\Device\Artemis.00"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col03#1&2d595ca7&1&0002#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000078"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS50________________TN00____#344b395542373532333020322020202020202020#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DANew"
.\debug.cpp(400) : Destination "\Device\DANew"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
.\debug.cpp(400) : Destination "\Device\WANARP"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col01#1&2d595ca7&1&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000076"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
.\debug.cpp(400) : Destination "\Device\NdisWanIp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CPUZ133"
.\debug.cpp(400) : Destination "\Device\cpuz133"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&3097edfd&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A38&SUBSYS_82D41043&REV_00#3&11583659&0&D1#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CPUZ134"
.\debug.cpp(400) : Destination "\Device\cpuz134"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&14d59eda&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS0"
.\debug.cpp(400) : Destination "\Device\1394BUS0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8F49DF83-B528-4C1E-AA08-19C4F4E79B5C}"
.\debug.cpp(400) : Destination "\Device\{8F49DF83-B528-4C1E-AA08-19C4F4E79B5C}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ADVirtualDiskDevice"
.\debug.cpp(400) : Destination "\Device\ADVirtualDisk\Control"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_01&Col01#7&2920e84c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000094"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
.\debug.cpp(400) : Destination "\Device\ParTechInc0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000035"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_1532&Pid_0016#5&385a3465&0&1#{d2f9ad00-6ae9-11d5-88f8-0080c8ef5b74}"
.\debug.cpp(400) : Destination "\Device\USBPDO-10"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_0016#6&1cfd2965&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000090"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{3076b6a8-9c7d-11de-a3c5-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
.\debug.cpp(400) : Destination "\Device\0000003c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
.\debug.cpp(400) : Destination "\Device\ParTechInc1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
.\debug.cpp(400) : Destination "\Device\IPMULTICAST"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col03#1&3ac5b05f&3&0002#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
.\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
.\debug.cpp(400) : Destination "\Device\NdisWan"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
.\debug.cpp(400) : Destination "\Device\NdisTapi"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination "\Device\ParTechInc2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{586924D0-96B4-4B88-AD6B-2B72A4700998}"
.\debug.cpp(400) : Destination "\Device\{586924D0-96B4-4B88-AD6B-2B72A4700998}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A36&SUBSYS_82D41043&REV_00#3&11583659&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col02#1&3ac5b05f&3&0001#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000007b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_01&Col02#7&2920e84c&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000095"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
.\debug.cpp(400) : Destination "\Device\LanmanRedirector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&67e9d0c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination "\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col02#1&3ac5b05f&3&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\0000007b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination "\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination "\Device\MailSlot"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&22755735&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
.\debug.cpp(400) : Destination "\Device\Ndisuio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination "\Device\Null"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3141bc6c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_01#6&14b37ee3&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000008d"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Asusgio"
.\debug.cpp(400) : Destination "\Device\Asusgio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT1"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA3AA#5&2ea7e938&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000085"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
.\debug.cpp(400) : Destination "\Device\avipbb"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1d34232f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-6"
.\debug.cpp(409) : --
.\debug.cpp(453) : **********************************************
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
.\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
.\boot_cleaner.cpp(1060) :
.\boot_cleaner.cpp(1061) : Size Device Name MBR Status
.\boot_cleaner.cpp(1062) : --------------------------------------------
.\boot_cleaner.cpp(1106) : 931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
.\boot_cleaner.cpp(1112) :
.\boot_cleaner.cpp(1151) : Done;
 
You're welcome! Glad to help. System is clean! A heads up for you: whenever you download a program, look carefully at the download page/site. Frequently you'll see items pre-checked so that you will automatically get them along with the download. You don't want these extras! Uncheck before download.

The Asktoolbar was all over your system. I don't know of anyone who actually downloads it intentionally, so I expect you had some pre-checked downloads.
==========================================
Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.(For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.)

      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Have a Happy and Peaceful Holiday!
peace_dove_bigger_normal.jpg
 
I think it's safe to say, the problem has solved. I cannot thank you enough. Not only have you helped me, but you have explained to me why these things had happened in a way that is easy to understand. I will take extra caution from now on, and make note of the six tips you have provided me.

I wish you a Merry Christmas!
 
Status
Not open for further replies.

Similar threads

midian182
Google's AI-powered search can recommend malicious sites, including scams and malware
Replies
6
Views
121
James Ryan
J
M
Web Meeting disconnects even though internet is connected
Replies
1
Views
605
madhav04
M
Cal Jeffrey
Hackers are using Punycode to create authentic-looking URLs in Google ads
Replies
8
Views
386
FF222
F

Latest posts

Back